Report No. D-2008-125
September 2, 2008

Summary of Information Assurance Weaknesses Found in
Audit Reports Issued From August 1, 2007,
Through July 31, 2008

Additional Information and Copies
The Department of Defense Office of the Deputy Inspector General for Auditing,
Readiness and Operations Support prepared this report. If you have questions or would
like to obtain additional copies of the final report, contact Mr. Robert R. Johnson at (703)
604-9024 (DSN 664-9024) or Ms. Celia J. Harrigan at (703) 604-9092 (DSN 664-9092).

Suggestions for Audits
To suggest ideas for or to request future audits, contact the Office of the Deputy Inspector
General for Auditing at (703) 604-9142 (DSN 664-9142) or fax (703) 604-8932. Ideas
and requests can also be mailed to:

    ODIG-AUD (ATTN: Audit Suggestions)
    Department of Defense Inspector General
    400 Army Navy Drive (Room 801)
    Arlington, VA 22202-4704

Acronyms and Abbreviations
FISMA      Federal Information Security Management Act
GAO        Government Accountability Office
HSPD-12    Homeland Security Presidential Directive - 12
NIST       National Institute of Standards and Technology
OMB        Office of Management and Budget

INSPECTOR GENERAL
DEPARTMENT OF DEFENSE
400 ARMY NAVY DRIVE
ARLINGTON, VIRGINIA 22202-4704

September 2, 2008

MEMORANDUM FOR ASSISTANT SECRETARY OF DEFENSE FOR NETWORKS
                AND INFORMATION INTEGRATION/DOD CHIEF
                INFORMATION OFFICER
              ASSISTANT SECRETARY OF THE AIR FORCE
                (FINANCIAL MANAGEMENT AND COMPTROLLER)
              NAVAL INSPECTOR GENERAL
              AUDITOR GENERAL, DEPARTMENT OF THE ARMY

SUBJECT: Report on Summary of Information Assurance Weaknesses Found in Audit
         Reports Issued From August 1, 2007, Through July 31, 2008 (Report No.
         D-2008-125)

We are providing this summary report for information and use. We did not issue a draft
report because this report summarizes material that has already been published. This
report contains no recommendations; therefore, no written response to this report was
required, and none was received.

We appreciate the courtesies extended to the staff. Questions should be directed to
Mr. Robert R. Johnson at (703) 604-9024 (DSN 664-9024) or Celia Harrigan at (703)
604-9092 (DSN 664-9092). If you desire, we will provide a formal briefing on the results.
See Appendix G for the report distribution. The team members are listed inside the back
cover.

Report No. D-2008-125 (Project No. D2008-D000LB-0128.000)
September 2, 2008

Results in Brief: Summary of Information Assurance Weaknesses Found in Audit
Reports Issued From August 1, 2007, Through July 31, 2008

What We Did
This report summarizes information assurance weaknesses that the DoD Office of
Inspector General, Army Audit Agency, Naval Audit Service, Air Force Audit Agency, and
Government Accountability Office reported between August 1, 2007, and July 31, 2008.
It supports the DoD Office of Inspector General response to the Federal Information
Security Management Act (FISMA) of 2002, which requires that agencies submit to the
Office of Management and Budget the results of an annual independent evaluation of the
effectiveness of their information security programs and practices.

The evaluation should include testing of the effectiveness of information security
policies, procedures, and practices of a subset of the agency’s information systems and
may be based, in whole or in part, on an audit, evaluation, or report relating to agency
programs or practices.

This report is the 10th information assurance summary report issued by the DoD Office
of Inspector General since January 1999.

What We Found
Between August 1, 2007, and July 31, 2008, the DoD Office of Inspector General, Army
Audit Agency, Naval Audit Service, Air Force Audit Agency, and Government
Accountability Office issued 21 reports addressing a wide range of information assurance
weaknesses that persist throughout DoD systems and networks. If these weaknesses
continue, they will impede the ability of DoD to mitigate risks in a shared information
technology environment. Those risks include unauthorized access to information or
information systems and their consequent loss, misuse, or modification. A loss of
information is itself unacceptable and could result in loss of mission effectiveness.

What We Recommend
This report contains no new recommendations because they were made in the reports we
list in this summary.

Client Comments
We did not issue a draft report because this report summarizes material that has already
been published. No written response to this report is required.

Table of Contents

Results in Brief

Introduction
      Objectives
      Background

Finding. Information Assurance Weaknesses Persist Throughout DoD

Appendixes
      A.     Scope and Methodology
      B.     Prior Coverage
      C.     Glossary
      D.     Audit Reports Issued From August 1, 2007, Through July 31, 2008,
                 Identifying Information Assurance Weaknesses
      E.     Matrix of Information Assurance Weaknesses Reported From
                 August 1, 2007, Through July 31, 2008
      F.     Audit Reports From Prior Information Assurance Summary Reports
                 With Unresolved Recommendations
      G.     Report Distribution

Introduction

Objectives
This is one in a series of summary reports that the DoD IG has issued annually since
1999. The overall objective was to summarize reports by the DoD audit community and
Government Accountability Office (GAO) between August 1, 2007, and July 31, 2008.
This summary report supports the DoD IG response to the requirements of FISMA.
See Appendix A for a discussion of the scope and methodology, and Appendix B for prior
coverage related to the objective.

Background
This report is the 10th annual Information Assurance (IA) summary the DoD IG has
issued since January 1999. The 10 IA reports summarize 426 reports on IA weaknesses.

This report supports the DoD IG response to section 3545 of Public Law 107-347, Title
III, “Federal Information Security Management Act,” December 17, 2002, requiring
agencies to submit the results of an annual independent evaluation of the effectiveness of
their information security policies, procedures, and practices to the Office of
Management and Budget (OMB). The evaluation results may be based, in whole or in
part, on an audit, evaluation, or report relating to agency programs and practices.

Privacy Act of 1974
The intent of the Privacy Act of 1974, section 552a (as amended), Title 5, United States
Code (5 U.S.C. 552a), is to require Federal agencies to protect individuals against
unwarranted invasions of their privacy by limiting the collection, maintenance, use, and
disclosure of personal information about them. The Act requires that Federal agencies
establish information practices that restrict disclosure of personally identifiable records
and grants individuals increased access to agency records maintained on them. The
E-Government Act of 2002 additionally requires that Federal agencies protect the
collection of personal information in Federal Government information systems by
conducting Privacy Impact Assessments. A Privacy Impact Assessment is an analysis of
how personal information is collected, stored, shared, and managed in Federal
information technology systems.

Federal Information Security Management Act
FISMA provides a comprehensive framework for ensuring the effectiveness of IA
controls over information resources that support Federal operations and assets.
FISMA requires that each agency develop, document, and implement an agency-wide IA
program to provide IA for the information and information systems that support the
operations and assets of the agency. Each agency is to comply with FISMA and related
policies, procedures, standards, and guidelines, including the information security
standards promulgated under 40 U.S.C. 11331, “Responsibilities for Federal information
systems standards.” Under 40 U.S.C. 11331, standards and guidelines for Federal
information systems are to be based on standards and guidelines developed by the
National Institute of Standards and Technology (NIST).

National Institute of Standards and Technology
To meet its statutory responsibilities under FISMA, NIST, part of the U.S. Department of
Commerce, developed a series of standards and guidelines to provide IA for operations
and assets of Federal agencies. Specifically, the Computer Security Division of the
Information Technology Laboratory developed computer security prototypes, tests,
standards, and procedures designed to protect sensitive information from unauthorized
access or modification. Focus areas include cryptographic technology and applications,
advanced authentication, public key infrastructure, internetworking security, criteria and
assurance, and security management and support.
The standards and guidelines present the results of NIST studies, investigations, and
research on information technology security.

DoD Information Assurance Guidance
DoD IA guidance includes the following directives and instructions.

   •   DoD Directive 5400.11, “DoD Privacy Program,” May 8, 2007, which establishes
       policy for the respect and protection of an individual’s personal information and
       fundamental right to privacy;

   •   DoD Directive 8500.01E, “Information Assurance,” October 24, 2002, which
       establishes policy and assigns responsibility to achieve IA throughout DoD;

   •   DoD Directive 8570.1, “Information Assurance Training, Certification, and
       Workforce Management,” August 15, 2004, which establishes policy and assigns
       responsibility for DoD IA training, certification, and workforce management;

   •   DoD Instruction 8500.2, “Information Assurance (IA) Implementation,” February
       6, 2003, which implements the policy, assigns responsibilities, and prescribes
       procedures for applying integrated layered protection of DoD information systems
       and networks as outlined in DoD Directive 8500.01E; and

   •   DoD Instruction 8510.01, “DoD Information Assurance Certification and
       Accreditation Process (DIACAP),” November 28, 2007, which establishes a
       certification and accreditation process.

Finding. Information Assurance Weaknesses Persist Throughout DoD
Between August 1, 2007, and July 31, 2008, the DoD audit community and GAO issued
21 reports addressing a wide range of IA weaknesses that persist throughout DoD
systems and networks.¹ This report summarizes those reports.
If the IA weaknesses continue, they will impede the ability of DoD to mitigate risks in a
shared information technology environment. Those risks include harm resulting from loss,
misuse, unauthorized access, and modification of information or information systems. A
loss of information in DoD information systems is itself unacceptable and could undermine
mission effectiveness.

Reports on Information Assurance Weaknesses
The weaknesses identified in reports by the DoD audit community and GAO were
defined by FISMA, Homeland Security Presidential Directive – 12, OMB memoranda,
NIST standards and guidelines, and DoD guidance. The following table shows the
number of DoD audit community and GAO reports, by agency, that identify weaknesses
in IA areas. See Appendix C for a glossary of specialized terms.

Audit Reports Identifying Information Assurance Weaknesses
(August 1, 2007, through July 31, 2008)

IA Areas                                                GAO   DoD IG   Military Departments   Total
Access Controls                                           0        3                      6       9
Certification and Accreditation                           1        1                      2       4
Configuration Management                                  1        3                      4       8
Contingency Plans                                         0        1                      1       2
Continuity of Operations Plans                            0        2                      2       4
Information Systems Inventory Reporting                   1        0                      2       3
Incident Handling                                         0        2                      0       2
Personnel Security                                        0        2                      0       2
Physical Security                                         0        3                      0       3
Plan of Action and Milestones                             1        1                      1       3
Privacy Act Information                                   0        3                      1       4
Risk, Threat, and Vulnerability Assessment                0        0                      5       5
Security Awareness, Training, Education                   1        1                      2       4
Security Policies and Procedures/Management Oversight     2        5                      8      15

¹ DoD IG reported similar IA weaknesses in nine previous IA summary reports.

Types of Weaknesses
Reports issued during the reporting period most frequently cited weaknesses in the
following IA areas: access controls; configuration management; risk, threat, and
vulnerability assessments; privacy act information; and policies and
procedures/management oversight. See Appendix D for a list of reports reviewed for this
IA summary report and Appendix E for a matrix of the specific IA weaknesses listed by
report.

Access Controls
Access controls limit access to information system resources to authorized users,
programs, processes, or other systems. The DoD audit community reported weaknesses
related to access controls in nine reports.
The weaknesses related to:

•   user account management, for example, management did not always update
    privileges, document multiple systems access, perform system access reviews, or
    develop a role-based access scheme for assigning rights;
•   controls over segregation of duties, validity checks, and error reporting, which needed
    improvement; and
•   development and implementation of the required audit trail for recording changes in
    user access and permissions.

Configuration Management
Configuration management is management of security features and assurances through
control of changes made to hardware, software, firmware, documentation, test, test
fixtures, and test documentation throughout the life cycle of an information system. The
DoD audit community identified weaknesses related to configuration management in
eight reports. The reports identified such weaknesses as the following:

•   the Army, Air Force, and Navy are still in the initial stage of adopting GAO’s
    architecture maturity framework;
•   hardware being used does not meet the established minimum encryption
    requirements; and
•   implementation of information system migration policy is ineffective.

Risk, Threat, and Vulnerability Assessments
The reports identified weaknesses in performing risk, threat, and vulnerability
assessments that could be used as a basis for identifying appropriate and cost-effective
security measures. The DoD audit community reported weaknesses relating to risk,
threat, and vulnerability assessments in five issued reports.

Privacy Act Information
Agencies are required to limit the collection, maintenance, use, and disclosure of privacy
information on individuals. The DoD audit community identified weaknesses related to
Privacy Act information in four reports.
The reports identified weaknesses related to:

•   notifying the public of the risk of unauthorized disclosure of Personally Identifiable
    Information;

•   displaying the full Social Security Number on the Geneva Convention Credential,
    increasing the risk of identity theft; and

•   not implementing controls over property that contains sensitive or classified
    personally identifiable information.

Policies and Procedures/Management Oversight
The audit reports identified weaknesses in policies and procedures/management
oversight. The DoD audit community and GAO reported weaknesses relating to
management oversight in 15 issued reports. One report containing numerous examples of
management oversight weaknesses pertained to the implementation of Homeland
Security Presidential Directive (HSPD-12).

On August 27, 2004, President Bush directed Federal agencies to implement a
Government-wide standard for secure and reliable forms of identification for Government
employees and contractors to increase the security of Federal facilities and information
systems. DoD IG Report No. D-2008-104 found that DoD has not met key HSPD-12
implementation milestones for completion of background checks, verification of
completed or initiated background checks, or Government-wide interoperability.
Additionally, DoD must modify its current Geneva Convention Personal Identity
Verification credential to reduce the potential for identity fraud. The DoD’s continued
deferment of full implementation of HSPD-12 is preventing DoD Components from
realizing the intended benefits of improving security, increasing Government efficiency,
reducing identity fraud, increasing protection of personal privacy, and reducing potential
for terrorist exploitation.

Unresolved Recommendations
The nine previous IA annual reports summarized 405 reports on IA weaknesses
throughout DoD.
Of those 405 reports, 50 have unresolved recommendations, meaning
management has not yet corrected agreed-upon IA weaknesses more than 12 months
following the report issue date. Prompt action to correct the outstanding weaknesses is
necessary to mitigate ongoing vulnerabilities in the DoD IA program. See Appendix F
for a listing of reports with unresolved recommendations relating to IA weaknesses.

Conclusions
Many of the weaknesses reported occurred because management of security programs
was inadequate and security policies and procedures were not in place. Without effective
management oversight, DoD cannot be assured that systems are accurately reported and
maintained, information systems portray accurate and reliable data, and personnel are
properly trained in security policies and procedures. Effective management oversight
may reduce the risk of persistent IA weaknesses, thereby increasing assurance that DoD
information systems maintain an appropriate level of confidentiality, integrity,
authentication, nonrepudiation, and availability.

Appendix A. Scope and Methodology
This report summarizes the DoD IA weaknesses identified in 21 reports that GAO and
the DoD audit community issued from August 1, 2007, through July 31, 2008. To
prepare this summary, we reviewed the Web sites of GAO and each component audit
organization, as well as requested reports discussing IA weaknesses from these
organizations. We also reviewed prior IA summary reports and, with the assistance of
DoD audit community and GAO follow-up organizations, summarized reports with
unresolved recommendations on IA weaknesses.

This summary report does not make recommendations because they were made in the
summarized reports. We did not follow generally accepted government auditing
standards in conducting this project because it is a summary project.
We did not summarize congressional testimonies because our review of IA testimonies
issued during the reporting period identified that the testimonies did not apply
specifically, if at all, to DoD. Also, we did not include independent tests of management
controls or validate the information or results reported in the summarized reports. This
summary report supports the DoD IG responses to the OMB questions relating to FISMA.
We conducted this summary work from February through August 2008.

Use of Computer-Processed Data
We did not use computer-processed data when compiling information for this summary
report.

Appendix B. Prior Coverage
DoD IG has issued nine information security summary reports. Unrestricted DoD IG
reports can be accessed at http://www.dodig.osd.mil/audit/reports. The remainder of the
reports are For Official Use Only and can be obtained by contacting the Freedom of
Information Act Requester Service Center at (703) 604-9775 (DSN 664-9775) or fax
(703) 602-0294.

DoD IG Report No. D-2007-123, “Summary of Information Assurance Weaknesses
Found in Audit Reports Issued from August 1, 2006, Through July 31, 2007,” September
12, 2007

DoD IG Report No. D-2006-110, “Summary of Information Assurance Weaknesses
Found in Audit Reports Issued from August 1, 2005, through July 31, 2006,” September
14, 2006

DoD IG Report No. D-2005-110, “Summary of Information Security Weaknesses
Reported by Major Oversight Organizations From August 1, 2004, through July 31, 2005
(FOUO),” September 23, 2005

DoD IG Report No. D-2004-116, “Information Security Weaknesses Reported by Major
Oversight Organizations From August 1, 2003, through July 31, 2004 (FOUO),”
September 23, 2004

DoD IG Report No. D-2004-038, “Information Assurance Challenges – A Summary of
Results Reported from August 1, 2002, through July 31, 2003 (FOUO),” December 22,
2003

DoD IG Report No. D-2003-024, “Information Assurance Challenges – An Evaluation of
Audit Results Reported From August 23, 2001, through July 31, 2002 (FOUO),”
November 21, 2002

DoD IG Report No. D2001-182, “Information Assurance Challenges – A Summary of
Audit Results Reported April 1, 2000, through August 22, 2001 (FOUO),” September 19,
2001

DoD IG Report No. D2000-124, “Information Assurance Challenges – A Summary of
Audit Results Reported December 1, 1998, through March 31, 2000 (FOUO),” May 15,
2000

DoD IG Report No. 99-069, “Summary of Audit Results – DoD Information Assurance
Challenges,” January 22, 1999

Appendix C. Glossary
Access Controls – Access controls limit information system resources to authorized
users, programs, processes, or other systems.
Audit Trail – An audit trail is a chronological record of system activities that enable the
reconstruction and examination of the sequence of events and/or changes in an event.
Certification and Accreditation – Certification and accreditation is a combined process
that makes up the DoD Information Assurance Certification and Accreditation Process.
   •   Accreditation – Accreditation is the formal declaration by a designated
       accrediting authority that an information system is approved to operate in a
       particular security mode at an acceptable level of risk, based on the
       implementation of an approved set of technical, managerial, and procedural
       safeguards.
   •   Certification – Certification is a comprehensive evaluation of the technical and
       nontechnical security safeguards of an information system to support the
       accreditation process that establishes the extent to which a particular design and
       implementation meets a set of specified security requirements.
Configuration Management – Configuration management is the management of
security features and assurances through control of changes made to hardware, software,
firmware, documentation, test, test fixtures, and test documentation throughout the life
cycle of an information system.
Contingency Plan – A contingency plan is maintained for emergency response, backup
operations, and post-disaster recovery of an information system to ensure the availability
of critical resources and to facilitate the continuity of operations in an emergency
situation.
Continuity of Operations Plan – A continuity of operations plan is a plan for continuing
an organization’s essential functions at an alternate
site and performing those functions
for the duration of an event with little or no loss of continuity before returning to normal
operations.
Information Systems Inventory Reporting – The head of each agency must develop
and maintain an inventory of major information systems, including major national
security systems, operated by or under the control of the agency. The inventory of
information systems or networks should include those not operated by or under the
control of the agency.
Incident Response – Also known as incident handling, incident response is the
mitigation of violations of security policies and recommended practices.
Personnel Security – The objective of the Personnel Security Program is to ensure that
the military, civilian, and contractor personnel assigned to and retained in sensitive
positions in which they could potentially damage national security are, and remain,
reliable and trustworthy, and no reasonable basis exists for doubting their allegiance to
the United States. Assignment to sensitive duties is granted only to individuals who are
U.S. citizens and for whom an appropriate investigation has been completed.
Physical Security – Physical security refers to measures taken to protect systems,
buildings, and related supporting infrastructure against threats associated with their
physical environment.
Plan of Action and Milestones – A plan of action and milestones is a tool that identifies
tasks that need to be accomplished. A plan of action and milestones details resources
required to accomplish the elements of the plan, any milestones in meeting the task, and
scheduled completion dates for the milestones. The purpose of a plan of action and
milestones is to assist agencies in identifying, assessing, prioritizing, and monitoring the
progress of corrective efforts for security weaknesses found in programs and systems.
Policies and Procedures – Policies and procedures are the aggregate of directives,
regulations, rules, and practices that regulate how an organization manages, protects, and
distributes information. Information security policy can be contained in public laws,
Executive orders, DoD Directives, and local regulation.

Privacy Act Information – Privacy Act information is personal information about an
individual that links, relates, or is unique to or identifies or describes him or her, such as
Social Security number; age; military rank; civilian grade; marital status; race; salary;
home or office phone numbers; and other demographic, biometric, personal, medical, and
financial information. This information is also referred to as personally identifiable
information, or that which can be used to distinguish or trace an individual’s identity.
Risk Assessment – Risk assessment is an analysis of threats to and vulnerabilities of
information systems and the potential impact resulting from the loss of an information
system and its capabilities.
The analysis is used as a basis for identifying appropriate and\ncost-effective security measures.\nSecurity Awareness, Training, and Education\n   \xe2\x80\xa2   Awareness \xe2\x80\x93 Awareness is a learning process that sets the stage for training by\n       changing individual and organization attitudes to realize the importance of\n       security and the adverse consequences of its failure.\n   \xe2\x80\xa2   Training \xe2\x80\x93 Training is teaching people the knowledge and skills about\n       information security that will enable them to perform their jobs more effectively.\n   \xe2\x80\xa2   Education \xe2\x80\x93 Education focuses on developing the ability and vision to perform\n       complex, multidisciplinary activities and the skills needed to further the\n       information technology security profession. Education activities include research\n       and development to keep pace with changing technologies.\nSegregation of Duties \xe2\x80\x93 Segregation of duties refers to dividing roles and responsibilities\nso that a single individual cannot subvert a critical process.\n\n\n\n\n                                             12\n\x0cAppendix D. Audit Reports Issued From\nAugust 1, 2007, Through July 31, 2008,\nIdentifying Information Assurance\nWeaknesses\nGAO\nGAO Report No. GAO-07-528, \xe2\x80\x9cInformation Security - Selected Departments Need to\nAddress Challenges in Implementing Statutory Requirements,\xe2\x80\x9d August 2007\n\nGAO Report No. GAO-08-519, \xe2\x80\x9cDoD Business Systems Modernization - Military\nDepartments Need to Strengthen Management of Enterprise Architecture Programs,\xe2\x80\x9d\nMay 2008\n\nGAO Report No. GAO-08-705, \xe2\x80\x9cDoD Business Systems Modernization - Progress in\nEstablishing Corporate Management Controls Needs to be Replicated Within Military\nDepartments,\xe2\x80\x9d May 2008\n\nDoD IG\nDoD IG Report No. 
D-2008-047, “Contingency Planning for DoD Mission-Critical
Information Systems,” February 5, 2008

DoD IG Report No. D-2008-077, “United States Army Corps of Engineers Financial
Management System,” April 08, 2008 (FOUO)

DoD IG Report No. D-2008-101, “General Controls Over the Standard Accounting,
Budgeting, and Reporting System (SABRS),” June 6, 2008

DoD IG Report No. D-2008-104, “DoD Implementation of Homeland Security
Presidential Directive-12,” June 23, 2008

DoD IG Report No. D-2008-109, “Controls and Compliance of the Joint Personnel
Adjudication System,” July 21, 2008 (FOUO)

DoD IG Report No. D-2008-114, “Accountability for Defense Security Service Assets
With Personally Identifiable Information,” July 24, 2008

Army Audit Agency
Army Audit Agency Report No. A-2007-0223-FFI, “Installation Campus Area Network
Connectivity - Wireless Devices, Redstone Arsenal, Alabama” (FOUO), 28 September
2007

Army Audit Agency Report No. A-2007-0225-FFI, “Installation Campus Area Network
Connectivity - Wireless Devices, Fort Knox, Kentucky” (FOUO), 28 September 2007

Army Audit Agency Report No. A-2008-0186-FFI, “Installation Campus Area Network
Connectivity - Wireless Devices - Summary Report,” July 8, 2008

Naval Audit Service
Naval Audit Service Report No. N2008-0022, “Management of Privacy Act Information
at the Navy Recruiting Command,” February 14, 2008 (FOUO)

Naval Audit Service Report No. N2008-0023, “Information Security
within the Marine Corps,” February 20, 2008 (FOUO)

Air Force Audit Agency
Air Force Audit Agency Report No.
F2007-0009-FB4000, “Continuity of Operations
Plans For Computer Networks” (FOUO), August 24, 2007

Air Force Audit Agency Report No. F2008-0002-FB2000, “Web Content Migration to
The Global Combat Support Systems-Air Force Framework,” February 22, 2008

Air Force Audit Agency Report No. F2008-0003-FB2000[1], “Enterprise Information
Technology Data Repository Effectiveness As Portfolio Management Tool,” February
25, 2008

Air Force Audit Agency Report No. F2008-0003-FB4000, “Air Force Portal Access and
Rights Management” (FOUO), February 22, 2008

Air Force Audit Agency Report No. F2008-0002-FB1000, “Follow-up Audit,
Comptroller Quality Assurance Program,” April 1, 2008

Air Force Audit Agency Report No. F2008-0004-FB4000, “Information Systems
Inventory” (FOUO), June 4, 2008

Air Force Audit Agency Report No. F2008-0007-FD1000, “Hurricane Disaster
Planning,” June 4, 2008

Appendix E.
Matrix of Information
Assurance Weaknesses Reported From
August 1, 2007, Through July 31, 2008

Weakness columns:
    1  Access Controls
    2  Certification and Accreditation
    3  Configuration Management
    4  Contingency Plan
    5  Continuity of Operations Plans
    6  Federal Information Systems Inventory Reporting
    7  Incident Handling
    8  Personnel Security
    9  Physical Security
   10  Plan of Actions and Milestones
   11  Privacy Act Information
   12  Risk, Threat, and Vulnerability Assessment
   13  Security Awareness, Training, Education
   14  Security Policies and Procedures/Management Oversight

Agency Report No.     1  2  3  4  5  6  7  8  9 10 11 12 13 14

Government Accountability Office
GAO-07-528            -  X  -  -  -  X  -  -  -  X  -  -  X  X
GAO-08-519            -  -  X  -  -  -  -  -  -  -  -  -  -  -
GAO-08-705            -  -  -  -  -  -  -  -  -  -  -  -  -  X

Office of Inspector General of the DoD
D-2008-047            -  -  -  X  -  -  -  -  -  -  -  -  -  X
D-2008-077            X  -  X  -  X  -  X  -  X  -  -  -  X  X
D-2008-101            X  -  -  -  -  -  -  -  -  -  -  -  -  X
D-2008-104            -  -  X  -  -  -  -  X  X  X  X  -  -  X
D-2008-109            X  X  X  -  X  -  X  X  X  -  X  -  -  X
D-2008-114            -  -  -  -  -  -  -  -  -  -  X  -  -  -

Army Audit Agency
A-2007-0223-FFI       X  -  X  -  -  -  -  -  -  -  -  X  -  X
A-2007-0225-FFI       X  -  X  -  -  -  -  -  -  -  -  X  -  X
A-2008-0186-FFI       X  -  X  -  -  -  -  -  -  -  -  X  X  X

Naval Audit Service
N2008-0022            -  -  -  -  -  -  -  -  -  -  X  -  -  -
N2008-0023            X  X  -  -  X  -  -  -  -  X  -  X  X  X

Air Force Audit Agency
F2007-0009-FB4000     -  -  -  -  X  -  -  -  -  -  -  -  -  -
F2008-0002-FB2000     -  -  X  -  -  -  -  -  -  -  -  -  -  X
F2008-0003-FB2000     -  -  -  -  -  X  -  -  -  -  -  -  -  -
F2008-0003-FB4000     X  -  -  -  -  -  -  -  -  -  -  -  -  -
F2008-0002-FB1000     X  -  -  -  -  -  -  -  -  -  -  X  -  X
F2008-0004-FB4000     -  X  -  -  -  X  -  -  -  -  -  -  -  X
F2008-0007-FD1000     -  -  -  X  -  -  -  -  -  -  -  -  -  X

Total                 9  4  8  2  4  3  2  2  3  3  4  5  4 15

Appendix F. Audit Reports From Prior
Information Assurance Summary Reports
With Unresolved Recommendations
IA weaknesses continue to exist throughout DoD. Of the 405 reports included in 9 prior
IA summary reports, 50 had unresolved recommendations; management had not
corrected agreed-upon IA weaknesses within 12 months of the report issue date. The list
of reports with unresolved recommendations was compiled based on information GAO
and the DoD audit community provided in July 2008 and may be incomplete because of
the extent of information maintained in their respective follow-up systems.

GAO
GAO Report No. GAO-06-31, “The Defense Logistics Agency Needs to Fully Implement
Its Security Program,” October 7, 2005

DoD IG
DoD IG Report No. D-2007-099, “Report on Audit of Privacy Program and Privacy
Impact Assessments,” June 13, 2007

DoD IG Report No.
D-2007-089, “Selected Controls for Information Security of the
U.S. Transportation Command’s Integrated Computerized Deployment System (FOUO),”
April 30, 2007

DoD IG Report No. D-2007-082, “Defense Information Systems Agency Controls over
the Center for Computing Services,” April 9, 2007

DoD IG Report No. D-2007-040, “The General and Application Controls over the
Financial Management System at the Military Sealift Command,” January 2, 2007

DoD IG Report No. D-2007-039, “Audit of Information Assurance of Missile Defense
Agency Information Systems (FOUO),” December 21, 2006

DoD IG Report No. D-2007-025, “Acquisition of the Pacific Mobile Emergency Radio
System (FOUO),” November 22, 2006

DoD IG Report No. D-2007-006, “Hurricane Katrina Disaster Recovery Efforts Related
to Army Information Technology Resources,” October 19, 2006

DoD IG Report No. D-2006-107, “Defense Departmental Reporting System and Related
Financial Statement Compilation Process Controls Placed in Operation and Tests of
Operating Effectiveness for the Period October 1, 2004, through March 31, 2005
(FOUO),” August 18, 2006

DoD IG Report No. D-2006-096, “Select Controls for the Information Security of the
Command and Control Battle Management Communications System (FOUO),” July 14,
2006

DoD IG Report No. D-2006-079, “Review of the Information Security Operational
Controls of the Defense Logistics Agency’s Business Systems Modernization Energy,”
April 24, 2006

DoD IG Report No. D-2006-078, “Defense Information Systems Agency Encore II
Information Technology Solutions Contract (FOUO),” April 21, 2006

DoD IG Report No.
D-2006-069, “Technical Report on the Defense Business
Management System (FOUO),” April 3, 2006

DoD IG Report No. D-2006-060, “System Engineering Planning for the Ballistic Missile
Defense System (FOUO),” March 3, 2006

DoD IG Report No. D-2006-053, “Select Controls for the Information Security of the
Ground-Based Midcourse Defense Communications Network,” February 24, 2006

DoD IG Report No. D-2006-052, “DoD Organization Information Assurance
Management of Information Technology Goods and Services Acquired Through
Interagency Agreement,” February 23, 2006

DoD IG Report No. D-2006-046, “Technical Report on the Defense Property
Accountability System (FOUO),” January 27, 2006

DoD IG Report No. D-2006-042, “Security Status for Systems Reported in DoD
Information Technology Databases,” December 30, 2005

DoD IG Report No. D-2006-030, “Report on Diagnostic Testing at the Defense
Information Systems Agency, Center for Computing Services (FOUO),” November 30,
2005

DoD IG Report No. D-2006-003, “Security Controls Over Selected Military Health
System Corporate Databases (FOUO),” October 7, 2005

DoD IG Report No. D-2005-099, “Status of Selected DoD Policies on Information
Technology Governance,” August 19, 2005

DoD IG Report No. D-2005-094, “Proposed DoD Information Assurance Certification
and Accreditation Process (FOUO),” July 21, 2005

DoD IG Report No. D-2005-069, “Audit of the General and Application Controls of the
Defense Civilian Pay System (FOUO),” May 13, 2005

DoD IG Report No. D-2005-054, “Audit of the DoD Information Technology Security
Certification and Accreditation Process (FOUO),” April 28, 2005

DoD IG Report No.
D-2005-033, “Implementation of Interoperability and Information
Assurance Policies for Acquisition of Navy Systems,” February 2, 2005

DoD IG Report No. D-2004-041, “The Security of the Army Corps of Engineers
Enterprise Infrastructure Services Wide-Area Network (FOUO),” December 26, 2003

DoD IG Report No. D-2004-008, “Implementation of Interoperability and Information
Assurance Policies for Acquisition of Army Systems,” October 15, 2003

DoD IG Report No. D-2003-134, “System Security of the Army Corps of Engineers
Financial Management System (FOUO),” September 15, 2003

DoD IG Report No. D-2001-148, “Automated Transportation Payments,” June 22, 2001

DoD IG Report No. D-2001-141, “Allegations to the Defense Hotline on the Defense
Security Assistance Management System,” June 19, 2001

Army Audit Agency
Army Audit Agency Report No. A-2006-0199-FFI, “Installation Campus Area Network
Connectivity - Terrestrial-Based Connections,” September 29, 2006

Army Audit Agency Report No. A-2006-0181-FFI, “Installation Campus Area Network
Connectivity - Wireless Networks (U.S. Army Garrison, Aberdeen Proving Ground,
Maryland),” September 28, 2006

Naval Audit Service
Naval Audit Service Report No. N2007-0017, “Ordnance Information System (FOUO),”
February 28, 2007

Naval Audit Service Report No. N2005-0049, “Information Security Controls at Naval
Shipyards,” July 7, 2005

Naval Audit Service Report No. N2005-0036, “Verification of the Reliability and
Validity of the Navy Enlisted System Data (FOUO),” March 30, 2005

Naval Audit Service Report No.
N2004-0063, “Information Security - Operational
Controls at Naval Aviation Depots,” July 9, 2004

Naval Audit Service Report No. N2003-0012, “Verification of the Reliability and
Validity of the Department of the Navy’s Total Force Manpower Management System
(TFMMS) Data,” November 8, 2002

Air Force Audit Agency
Air Force Audit Agency Report No. F2007-0005-FB2000, “Standard Base Supply
System Controls,” July 13, 2007

Air Force Audit Agency Report No. F2007-0004-FB2000, “Reliability, Availability,
Maintainability Support System for Electronic Combat Pods System Controls,”
May 25, 2007

Air Force Audit Agency Report No. F2007-0004-FB4000, “Security of Remote
Computer Devices (FOUO),” March 13, 2007

Air Force Audit Agency Report No. F2007-0001-FB4000, “Selected Aspects of
Computer Network Intrusion Detection (FOUO),” December 12, 2006

Air Force Audit Agency Report No. F2006-0011-FB2000, “Air Force Equipment
Management System Controls,” September 25, 2006

Air Force Audit Agency Report No. F2006-0009-FB2000, “Contract Writing System
Controls,” August 3, 2006

Air Force Audit Agency Report No. F2006-0008-FB2000, “System Controls for Item
Manager Wholesale Requisition Process System,” June 21, 2006

Air Force Audit Agency Report No. F2006-0007-FB2000, “Missile Readiness Integrated
Support Facility/Integrated Missile Database System Controls,” May 30, 2006

Air Force Audit Agency Report No. F2006-0006-FB2000, “Controls for the Wholesale
and Retail Receiving and Shipping System,” May 19, 2006

Air Force Audit Agency Report No.
F2006-0004-FB2000, “Implementation of Selected
Aspects of Security in Air Force Systems,” April 17, 2006

Air Force Audit Agency Report No. F2004-0006-FB2000, “System Controls for
Reliability and Maintainability Information System,” September 27, 2004

Air Force Audit Agency Report No. F2004-0006-FB4000, “Visibility of Air Force
Information Technology Resources,” May 4, 2004

Air Force Audit Agency Report No. 00054006, “Air Force Restoration Information
Management System Controls,” May 18, 2001

Appendix G. Report Distribution

Office of the Secretary of Defense
Under Secretary of Defense for Acquisition, Technology, and Logistics
Under Secretary of Defense (Comptroller)/Chief Financial Officer
Under Secretary of Defense for Personnel and Readiness
Assistant Secretary of Defense for Networks and Information Integration/Chief
   Information Officer
Assistant Secretary of Defense for Health Affairs/Chief Information Officer
Assistant Secretary of Defense for Intelligence Oversight/Chief Information Officer
Chief Information Officer, Office of the Secretary of Defense
Director, Program Analysis and Evaluation

Joint Staff
Director, Joint Staff
Chief Information Officer, Joint Staff

Department of the Army
Assistant Secretary of the Army (Financial Management and Comptroller)
Auditor General, Department of the Army
Chief Information Officer, Department of Army

Department of the Navy
Assistant Secretary of the Navy (Financial Management and Comptroller)
Naval Inspector General
Auditor General, Department of the Navy
Chief Information Officer, Department of the Navy
Chief Information Officer, U.S.
Marine Corps

Department of the Air Force
Assistant Secretary of the Air Force (Financial Management and Comptroller)
Auditor General, Department of the Air Force
Chief Information Officer, Department of the Air Force

Unified Commands
Chief Information Officer, U.S. Central Command
Chief Information Officer, U.S. European Command
Chief Information Officer, U.S. Joint Forces Command
Chief Information Officer, U.S. Northern Command
Chief Information Officer, U.S. Pacific Command
Chief Information Officer, U.S. Southern Command
Chief Information Officer, U.S. Special Operations Command
Chief Information Officer, U.S. Strategic Command
Chief Information Officer, U.S. Transportation Command

Other Defense Organizations
Chief Information Officer, American Forces Information Service
Chief Information Officer, Business Transformation Agency
Chief Information Officer, Defense Advanced Research Projects Agency
Chief Information Officer, Defense Commissary Agency
Chief Information Officer, Defense Contract Audit Agency
Chief Information Officer, Defense Contract Management Agency
Chief Information Officer, Defense Finance and Accounting Service
Chief Information Officer, Defense Information Systems Agency
Chief Information Officer, Defense Logistics Agency
Chief Information Officer, Defense Security Cooperation Agency
Chief Information Officer, Defense Security Service
Chief Information Officer, Defense Technical Information Center
Chief Information Officer, Defense Technology Security Administration
Chief Information Officer, Defense Threat Reduction Agency
Chief Information Officer, DoD Education Activity
Chief Information Officer, DoD Human Resources Activity
Chief Information Officer, DoD Inspector General
Chief Information Officer, DoD Test Resource Management Center
Chief Information Officer, Missile Defense Agency
Chief Information Officer, Pentagon Force Protection
Agency
Chief Information Officer, TRICARE Management Agency
Chief Information Officer, U.S. Mission North Atlantic Treaty Organization
Chief Information Officer, Washington Headquarters Service

Non-Defense Federal Organization
Office of Management and Budget

Congressional Committees and Subcommittees, Chairman and
  Ranking Minority Member
Senate Committee on Appropriations
Senate Subcommittee on Defense, Committee on Appropriations
Senate Committee on Armed Services
Senate Committee on Homeland Security and Governmental Affairs
House Committee on Appropriations
House Subcommittee on Defense, Committee on Appropriations
House Committee on Armed Services
House Committee on Oversight and Government Reform
House Subcommittee on Government Management, Organization, and Procurement,
  Committee on Oversight and Government Reform
House Subcommittee on National Security and Foreign Affairs,
  Committee on Oversight and Government Reform

Team Members
The Department of Defense Office of the Deputy Inspector General for Auditing,
Readiness and Operations Support prepared this report. Personnel of the
Department of Defense Office of Inspector General who contributed to the report
are listed below.

Robert R. Johnson
Celia J. Harrigan
Bryan T. Clark
Liz Scullin